Aside from the trolls who frequent forums and blogs, it’s mainly the enterprise community which carries the lingering perception, rightly or wrongly, that PHP security sucks. As PHP continues to evolve toward the enterprise, it’s going through a slow and messy collision with enterprise culture, standards and criticism. Naturally, PHP and the community have been absorbing lessons and improving, though one of the least understood aspects of this is security and security perceptions. I hope that by discussing security, PHP’s progress can be made smoother and easier than otherwise.

I’m looking forward to seeing everyone at ZendCon 2009, “the premier PHP conference”. I was selected to present a session:

Enterprise-Class PHP Security

Oxymoron no more! Learn what high-stakes organizations expect when evaluating the security of PHP applications. We’ll cover formal standards and processes, and tips on how to successfully navigate through the minefield.

I delivered my updated talk – Crypto Your PHP – at the php|tek Unconference in Chicago on Thursday, May 21st. It was selected by a voting process from a field that included many well-known community leaders. In other words I was lucky to have the opportunity. Kudos to everyone who submitted talks and thanks to those who voted, attended and organized!

Synopsis:

If you’d like a refresher on crypto capabilities and practices in PHP, or if you’d like some tips on the topic from a former security engineer, this talk is for you. We’ll discuss a few common scenarios such as data transit, data storage, and password authentication. We’ll explore the rich variety of crypto-enabled functions available to PHP. We’ll see why some crypto algorithms are better than others. And we’ll discuss the practices of good crypto implementation and the clues that indicate when it’s not a good idea to build it alone.

The title isn’t just a rhetorical question; I actually describe who would say such a thing about PHP security. I also explain what about this perception is distorted and what isn’t – and how the PHP community can accelerate its growth into a market where it’s just becoming a contender.

I just gave a talk on PHP cryptography via webcast, as part of the free webcast series for the php|tek conference. Thanks to Keith Casey for the kind intro and for organizing the webcast series. I hope to see many of you at tek in May – I’ll submit an updated version of this talk for the php|tek Unconference.

A video recording will be posted on the webcast web page and at Blue Parabola, and the slides are here. Please feel free to ask questions and to leave any other feedback as comments to this post.

Includes a quick-and-easy signup for the DC PHP Developers’ Group email list

Has a directory of DC PHP developers and the companies we work for (I’m the moderator)

On a semi-related note, I’m now organizing DC PHP Beverage Subgroup meetings in Washington, DC. This is nothing formal, just an opportunity for DC PHP community members and friends to gather socially. The first meeting I organized was at R.F.D. Washington on March 3rd which coincided with a large and friendly gathering of people who were in town for DrupalCon.

For any of you not familiar with the BarCamp movement, this was a volunteer-run tech community gathering based on the principle that every participant should actively contribute in some way to the event. Newcomers especially are encouraged to give a talk or to facilitate a discussion.

I’m not pretending to be a Join-fu Drunken Query Master at this point, but I’ve had success dealing with poorly performing database-driven applications, based on research and tweaking. The slides are a slightly prettified version of notes I originally collected for myself. YMMV.

I’d love to learn about your experiences, and I think the community would also like to see whatever you can share.

Application security sucks because it’s a wicked hard problem to mix the goals of security and application development within real-life projects.

If application development is about making an app do what it’s supposed to do, then application security is about making sure an app doesn’t do what it’s not supposed to do, despite real world conditions which may be hostile and chaotic.

“Hard core” security has become a massively complex black art with its own priesthood. As a result, the security community has generated an enormous volume of arcane information about security vulnerabilities and countermeasures.

Many conference presentations, books and articles about application security have tried to boil that down for the developer community, with excellent coverage of the top several types of security flaws. But security has a long tail, so that approach leaves vast territory uncovered.

That approach also doesn’t necessarily give developers the context and perspective necessary to judge the costs and benefits of security, and to make sound decisions about what really does or doesn’t need to be done. So I decided to address application security in a different way.

The goal of this talk is to help you wrap your brain around core concepts of application security, and thereby to make it easier to deal with correctly.

The talk begins with “What is Security, Really?”, poking fun at misconceptions and presenting the idea that security is keeping bad events to a minimum despite even skillful attempts to cause them.

Then it covers fundamental concepts and practices including: how to identify what needs protection; vulnerabilities and countermeasures with PHP examples; and how to avoid security excess by considering risk in a consistent way.

By the end, you should have a conceptual framework for application security that will at the same time simplify the problem space and provide more rigorous results.